FBI goes after Anonymous for pro-WikiLeaks DDoS attacks

Membership in the online group Anonymous has its privileges. The FBI has …

The FBI has joined in the hunt for those who participated in the retaliation attacks against companies that cut off services to WikiLeaks, executing more than 40 search warrants across the United States on Thursday, the bureau announced.

In what seem to be timed raids, British police arrested five men Thursday morning who allegedly participated in the Anonymous group’s denial of service attacks on Visa, Mastercard, Paypal and Amazon in mid-December. Anonymous was seeking to bring attention to—and punish—the financial-service companies’ decisions to prohibit donations to Wikileaks. Amazon was targeted after it kicked Wikileaks off its Web-hosting service.

The attacks caused no permanent damage, as they simply temporarily overloaded a website with more traffic than the server could handle. They were, for the most part, really nothing more than the cyber equivalent of a campus sit-in.

“The FBI also is reminding the public that facilitating or conducting a DDoS attack is illegal, punishable by up to 10 years in prison, as well as exposing participants to significant civil liability,” the FBI said in a press release. The FBI did not announce any arrests in conjunction with the searches.

In the attacks on the financial-service companies, thousands downloaded a tool called LOIC—or Low Orbit Ion Cannon—that joined their computer to the group attack on the target of the moment. However, the tool did nothing to hide a user’s IP address, making it possible for the target website to hand its server logs over to the authorities to track users down by their IP addresses.

The denial-of-service attacks attempted to shut down the websites of Visa and MasterCard—which would have had little effect on the credit card giants, since few people ever visit their homepages. However, the attack on PayPal focused on the interface used by online merchants, and reportedly caused some slowness, though no outages, to merchants for several hours.

The companies, along with Amazon, turned their backs on Wikileaks after the site began releasing US diplomatic cables in conjunction with newspapers, saying the organization violated their terms-of-service agreements. However, none of the companies have cut off services to newspapers such as The New York Times that have extensively reported on and reproduced many of the cables. Wikileaks has not been charged with any crimes related to the leaked documents.

Or, if you want to at least LOOK impartial, you can put the words "Some people argue" in front of all of those unsupported arguments quoted above.

Why would you want to be impartial? I'm rather partial towards the fact that 1+1=2, myself. Just because some people feel that anything goes in the fight against wikileaks doesn't mean that's a reasonable opinion.

Calling for impartiality is a non-argument. If you believe that the actions surrounding the DoS were severe enough to deserve this response, make that argument. However, given the trivial damage caused, and in the light of the far greater risk of mismanagement and power-abuse (and the proof time and time again that these risks are real) I'd say the oversight should be better targeted where it actually might matter: namely at those in power.

400+ man-years in prison is completely out of proportion to the act. God forbid I accidentally misuse the ping command, or install broken software on my computer that sends too many packets to a server.

I mean, because that's the same as intentionally using software to attack a website. I got you.

Or, if you want to at least LOOK impartial, you can put the words "Some people argue" in front of all of those unsupported arguments quoted above.

Why would you want to be impartial? I'm rather partial towards the fact that 1+1=2, myself. Just because some people feel that anything goes in the fight against wikileaks doesn't mean that's a reasonable opinion.

Calling for impartiality is a non-argument. If you believe that the actions surrounding the DoS were severe enough to deserve this response, make that argument. However, given the trivial damage caused, and in the light of the far greater risk of mismanagement and power-abuse (and the proof time and time again that these risks are real) I'd say the oversight should be better targeted where it actually might matter: namely at those in power.

I'm actually not making an argument about the DDOS issue at all, I'm criticizing the author for making comments all throughout his 'report' that make it clear what side he's on. It's kind of a technicality, but it bothers me and wouldn't be allowed in a real newspaper outside of an editorial or opinion piece. <troll>If he had done his job and wanted to report on the counter-arguments, then he'd have found some actual facts that could be used in the comment-scrum, such as whether any damage, in reality, was actually done by the DDOS. I want to edit his article and add those "[needs citation]" marks that Wikipedia uses in these little asides. </troll>

I did predict that there would be more after the first arrest in this issue. I think the issue is more serious than a campus sit in, the service that was DDOS was the authentication server where people needed to sign in to complete purchases.

So the attacks did prevent transactions from occurring and regular people should not be prevented from buying something because some internet group is mad at a credit card company. Regardless of what some people may think, credit card companies aren't required to do business with everyone.

lost_packet wrote:

hey, why not go after the people that DDoS'd Wikileaks....oh that's right you won't because a big part of the US is a bunch of hypocrites. Land of the free and brave my ass.

The FBI can't go after the people that DDOS'd wikileaks because of jurisdiction. It is the responsibility of the authorities wherever wikileaks is based to investigate crimes which happen in their territory.

The hypocritical thing is that if the FBI was investigating the wikileaks attacks you would be complaining about how the US is violating the sovereignty of another country.

Of course I don't see why you seem to think that an entire population of a country has to agree with your personal opinions.

This is a good point. Serious question, but did Wikileaks file a complaint with the FBI over those attacks?

WikiLeaks is not based in the U.S. so the FBI doesn't really have jurisdiction, and if WikiLeaks wanted to go after U.S. citizens that they think were part of the DDoS attack on their servers they would have to contact the FBI and work with them -- which I doubt they have.

I'm not saying that someone shouldn't go after the people responsible for DDoS'ing the WikiLeaks servers -- it's just that the FBI isn't the organization to do so.

I'm actually not making an argument about the DDOS issue at all, I'm criticizing the author for making comments all throughout his 'report' that make it clear what side he's on. It's kind of a technicality, but it bothers me and wouldn't be allowed in a real newspaper outside of an editorial or opinion piece. <troll>If he had done his job and wanted to report on the counter-arguments, then he'd have found some actual facts that could be used in the comment-scrum, such as whether any damage, in reality, was actually done by the DDOS. I want to edit his article and add those "[needs citation]" marks that Wikipedia uses in these little asides. </troll>

You have read other Ars articles right? You do know that editorial content is the norm for Ars right?

Sitting-in is a form of passive resistance... Participating in a DoS is actively trying to knock a site off the web. I used the word actively intentionally, as it's something that wouldn't happen if you or someone else wasn't causing your computer to do it intentionally.

No, sitting-in is actively going to the place of business whose principles you dislike and occupying the space it needs in order to do its business. Just as a one-person-per-computer DDoS (as opposed to a botnet attack) is actively going to the website of a business whose principles you dislike and occupying the space (in the form of available server connections) it needs in order to do business. They're about as analogous as any realworld/internet situation is ever likely to get.

"But wait, Anonymous used the LOIC to request the website LOTS of times, whereas a real visitor only requests it once!" - yep, true. And a sit-in involves sitting in (for example) a restaurant's booth and neither ordering nor leaving, where a real customer would order a product, consume it, and leave. In both situations, the goals are to deny a business use of its resources to make money, and to make a visible impact to others while doing so.

aquasub wrote:

Really? 1 person = 1 IP address? OT, but the RIAA would love to have you as a witness.

They'd enjoy it a lot less than you think, and you're missing the point - it's not simple to fix the effects of a DDoS by firewalling individual IP addresses as they make a nuisance of themselves... but it's no more complex (arguably, considerably LESS complex) than ejecting individual sit-in protesters from a physical space.

The point here is not that there is absolutely nothing wrong with DDoS'ing whoever you don't like - the point is that there's nothing more wrong with it than there is with a traditional sit-in. Again noting that we're talking about the sort of DDoS involving a bunch of schlubs using a tool like LOIC from their personal computers, not a botnet attack (which is more akin to feeding thousands of people some mythical brainwashing drug and forcing them to go do a sit-in for you).

400+ man-years in prison is completely out of proportion to the act. God forbid I accidentally misuse the ping command, or install broken software on my computer that sends too many packets to a server.

Don't do the crime if you can't do the time. Pretty simple. How does one use the ping command incorrectly and wouldn't eventually notice what you have done if you are proficient enough to mess around with ping commands? Would your one instance really matter much to larger business websites? When was the last time you installed broken software that created a DDoS issue? Amazingly it happens with a major website that was just in the news and happens to be coordinated with hundreds of other users attacking the same web site at the same time? Sounds pretty ridiculous, doesn't it?

I mean, what if the sun didn't come out tomorrow? If's and but's...candy and nuts...Merry Christmas or something like that.

Of course, this is mostly a red herring, because nobody used the LOIC tool "accidentally". Still, you'd better be really sure of yourself before you claim you could never, ever be a part of a DDoS without your knowledge.

400+ man-years in prison is completely out of proportion to the act. God forbid I accidentally misuse the ping command, or install broken software on my computer that sends too many packets to a server.

Don't do the crime if you can't do the time.

Lol, it's never that simple, otherwise the punishment for every crime would be death. There *is* such a thing as having punishments be appropriate to the crime. Though his example of "accidentally" sending enough packets to a server to cause it to crash is pretty improbable, he's not wrong to question that the prison sentence seems disproportional to the crime.

Of course, this is mostly a red herring, because nobody used the LOIC tool "accidentally". Still, you'd better be really sure of yourself before you claim you could never, ever be a part of a DDoS without your knowledge.

I understand what you are saying, but what I was trying to say (poorly) is that when you make that error it doesn't happen with everything else that happened to the exact same websites on that day. Yes it can happen, but it doesn't result in what happened with people using LOIC...and would more than likely not involve any sort of FBI person(s) knocking at your door.

As for the software issue, look no further than the Windows 7 phone data usage to see how easy it is for apps to become unintentionally chatty. It's not hard to imagine a broken app that accesses a resource in a way that appears to be part of an existing DDoS, without involving any of the sarcastic crap you just spewed off.

Of course, this is mostly a red herring, because nobody used the LOIC tool "accidentally". Still, you'd better be really sure of yourself before you claim you could never, ever be a part of a DDoS without your knowledge.

I understand what you are saying, but what I was trying to say (poorly) is that when you make that error it doesn't happen with everything else that happened to the exact same websites on that day. Yes it can happen, but it doesn't result in what happened with people using LOIC...and would more than likely not involve any sort of FBI person(s) knocking at your door.

Worst case, you're the one guy in the country who happened to misconfigure software at exactly the wrong time, and it was coincidental to a DDoS attack. The FBI somehow can't tell the difference from traffic analysis, so they show up at your door and confiscate your computer equipment for forensic analysis. After some period of time, they figure out that the traffic came from misconfigured software rather than a malicious tool, and they apologize and return your gear to you.

This is astronomically unlikely (that it would happen at the same time as a voluntary (as opposed to botnet) DDoS attack, and cause traffic problems on the very same site, and with identical-looking traffic). It would result in you being enormously inconvenienced. But ultimately, you still wouldn't get sentenced to prison.

Either US and UK law line up, or we're talking UK penalties for the hackers here:

"DDoS attacks, which bring down sites by bombarding them with repeated requests to load webpages, are illegal in the UK under the Computer Misuse Act and carry a maximum penalty of 10 years in prison and a £5,000 fine."

So either the quote, agent, or ars is wrong here. Or the UK newspapers I scanned I suppose.

As for the software issue, look no further than the Windows 7 phone data usage to see how easy it is for apps to become unintentionally chatty. It's not hard to imagine a broken app that accesses a resource in a way that appears to be part of an existing DDoS, without involving any of the sarcastic crap you just spewed off.

A chatty phone with bad software does not equal DDoS...and if that somehow happens it's not coordinated like LOIC typically is. Sarcastic or not it holds true either way and it's not crap any more than what you were stating about theoretical ideas that you have and proposed.

Curious...there's DDoS attacks happening every day in the United States. Do the FBI always get involved in those? During this fiasco, wasn't there a DDoS against 4chan? Are the FBI hot on the trail of whomever did that?

And isn't Anonymous known for its sometimes evil sense of humor? Could it be that someone orchestrated the LOIC knowing it didn't hide the IP addy's, thinking it would be a huge LOL to see a bunch of kids wanting to make a difference get tied up in legal problems?

Civil disobedience is not to be undertaken lightly. I hope that each and every one of the DDoS participants is willing to go to jail for the cause.

Ding ding ding ding - this guy gets it.

The problem here is not that outed Anonymous members might go to jail over their acts of civil disobedience, the problem is that the jail time is way, way, WAY worse than that involved in the real-world equivalent to their actions (as has been mentioned before, a sit-in). If you're part of a sit-in, you might get thrown in a drunk tank for the night - if you're REALLY unlucky, you might get 30 or 90 days in the county pen. There's a big, big, BIG difference between "1-90 days" and "up to 10 years".

Jesse Finn wrote:

But I can't sit here and really allow someone to try and associate what Anonymous and cronies did and will continue to do to the long term hardships of an entire race.

I'm not comparing "the plight of Anonymous" to "the plight of black people in America"; merely comparing the methods of civil disobedience used. Sorry if that pushed a button for you personally. Although, it's worth noting:

Jesse Finn wrote:

Anonymous would be more attributable to something more militant like the Black Panthers

... that this is blatantly wrong in the same way that equating black society as a whole to the Black Panthers would be.

I find the idea of a DoS attack being akin to a sit-in somewhat ridiculous.

Why? I'm being perfectly serious here - they seem quite analogous. A restaurant in the 50s which was full of black people "sitting in" to protest discrimination was unable to serve customers due to all resources being taken up by the "sit-in"-ers. How is this different from a website which is unable to serve webpages to customers due to DDoSers "sitting in" with their own personal computers?

The analogy is quite flawed. Sit-ins at a Woolworth's lunch counter in Greensboro, NC to protest Jim Crow laws did not prevent someone in a state that did not have Jim Crow laws from, say, buying gas.

In the case of the DDoS against PayPal, businesses across the world that have PayPal as a payment option lost sales due to the slowness of the PayPal site's responsiveness. - At the eCommerce company I work for, our sales with PayPal as a payment option were down nearly 50% during the DDoS periods, with no subsequent up-tick in credit card transactions. That means that people purchasing from our company abandoned their transactions when PayPal was slowed because of the DDoS. Like many other eCommerce companies, we are still struggling with the recession and are barely skating by - so the DDoS on PayPal has a direct effect on our bottom line, and our ability to hire more people, and to retain the folks we have.

And for what it is worth, myself and a number of folks at the eCommerce company I work for support Wikileaks, and have donated to them - yet we are impacted by the childish DDoS of PayPal.

The point of the sit-ins at Woolworth was to draw attention to the Jim Crow laws, through national exposure and shame. The point of them was not to pack the lunch counters with people who were unwilling to purchase from Woolworth, and thus run them out of business (to the contrary - the folks protesting at the lunch counters were trying to purchase food from Woolworth).

As opposed to a DDoS of PayPal, which hurts folks thousands of miles away that have nothing to do with PayPal's decision to stop accepting payments for Wikileaks, the more responsible form of protest would have been to have a coordinated mass cancellation of PayPal accounts - all bluntly stating that they are canceling their PayPal accounts, and then also informing merchants that accept PayPal that they would not do business with them if they continued to accept PayPal as a payment option.

Sit-ins at a Woolworth's lunch counter in Greensboro, NC to protest Jim Crow laws did not prevent someone in a state that did not have Jim Crow laws from, say, buying gas.

So? They prevented ANYONE from having lunch at that Woolworth's counter, whether they supported the Jim Crow laws or not.

The only real difference here is a difference of scale.

NewsIsNotNews wrote:

the more responsible form of protest would have been to have a coordinated mass cancellation of PayPal accounts - all bluntly stating that they are canceling their PayPal accounts, and then also informing merchants that accept PayPal that they would not do business with them if they continued to accept PayPal as a payment option.

Yes, and the more responsible way to protest the Jim Crow laws would be to stop patronizing public eateries which did not serve patrons of all races, and to inform all other restaurants that you wouldn't patronize them either if they continued to obey the Jim Crow laws.

However, it's not as effective as a sit-in, which is why people did sit-ins. QED.

I'm actually not making an argument about the DDOS issue at all, I'm criticizing the author for making comments all throughout his 'report' that make it clear what side he's on. It's kind of a technicality, but it bothers me and wouldn't be allowed in a real newspaper outside of an editorial or opinion piece. <troll>If he had done his job and wanted to report on the counter-arguments, then he'd have found some actual facts that could be used in the comment-scrum, such as whether any damage, in reality, was actually done by the DDOS. I want to edit his article and add those "[needs citation]" marks that Wikipedia uses in these little asides. </troll>

You have read other Ars articles right? You do know that editorial content is the norm for Ars right?

The attacks caused no permanent damage, as they simply temporarily overloaded a website with more traffic than the server could handle. They were, for the most part, really nothing more than the cyber equivalent of a campus sit-in

Oh, good grief, what drivel. PLEASE STOP republishing wired.com crap and get a competent writer to cover this stuff..

RIAA media smear policy to discredit publications that are against their agenda. d_jedi is just going through the motions here to sow the seeds of discontent for his bosses. Nothing new here.

The real story here is how the FBI is going after the retaliatory DoS attacks that are PRO Wikipedia but hasn't bothered to go after those doing DoS attacks against Wikipedia in the first place.

400+ man-years in prison is completely out of proportion to the act. God forbid I accidentally misuse the ping command, or install broken software on my computer that sends too many packets to a server.

This raises an interesting point. What if I WAS simply using broken software, or what if I was part of a botnet or some such? Could I use that in my defence?

"The attacks caused no permanent damage, as they simply temporarily overloaded a website with more traffic than the server could handle. They were, for the most part, really nothing more than the cyber equivalent of a campus sit-in."

Bringing down a large company's website for a few hours can easily cost them millions of dollars in lost business.

As can flooding their offices with actual human beings sitting in and getting in the way. Hence the analogy.

A physical business can ask its customers to leave the premises. If they return, they can be trespassing.

...At the eCommerce company I work for, our sales with PayPal as a payment option were down nearly 50% during the DDoS periods, with no subsequent up-tick in credit card transactions...

So you're saying it's difficult to conduct commerce without PayPal? And your fallback was a credit card, would your company be able to survive if it required the customer to mail checks or show up with cash? So although there were technically alternatives, that didn't actually matter, losing access to just one major money processor put your business at risk?

Then I think the protesters made their point. Your right to conduct business is at the de facto whim of a few large companies. And personally, I'd consider that right one of the most important. If someone wants to offer their legal services for cash, even electronic cash, I'm amazed anybody would be ok with anybody else stopping that, be they a company or the government. Some people wanted to donate money to a legal cause they cared about. As far as I know, there still haven't been any formal criminal charges leveled against Wikileaks. But Visa doesn't like Assange, so I don't get to (again, technically I can try to mail a check internationally. But as you point out, the existence of alternatives to digital money transfers doesn't mean they'll happen when credit cards aren't available).

That's the objection here. Throw in that the leaks reveal the US was lobbying on behalf of credit card firms, then those firms shut down attempts to fund the organizations who revealed the connection, and then the FBI starts throwing around threats of 10 years in prison if you take part in the protests against the credit card companies, and there is a very defensible argument that this is not ok. That is not free market behavior, that is not democratic behavior. Are DDOS attacks illegal? Yes. That's the point of civil disobedience. And maybe some of those participants are going to have to take their lumps and serve a spell in the penitentiary. But the point is to raise awareness about an injustice. Should it really be ok for credit card companies to play king maker with other businesses? Or if I've paid my fees, and the recipient has paid theirs, and we aren't breaking the law, is it none of Master Card's business that the transaction go through?

Maybe you disagree. But at the very least you've got to concede that's a rational, defensible opinion to have. And if that particular injustice is the one you want to risk jail for, then all the power to you.